hectic-lab/util.nix
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: sentinella: update

Browse Source
This commit is contained in:
yukkop
2026-04-26 22:22:15 +00:00
parent 4fae68764c
commit 3ca4d4fb86
5 changed files with 99 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
.sops.yaml
View File

@@ -47,6 +47,20 @@ creation_rules:
- *hectic-lab-server - *hectic-lab-server
- *umbriel-bfs - *umbriel-bfs
- path_regex: sus/sentinella-default.yaml$
key_groups:
- age:
- *yukkop
- *yukkop-alt
- *nrv
- *bfs-server
- *bfs-pol-server
- *bfs-new-server
- *neuro-server
- *games-server
- *hectic-lab-server
- *umbriel-bfs
- path_regex: docs/.*\.md$ - path_regex: docs/.*\.md$
key_groups: key_groups:
- age: - age:

16
nixos/module/hectic/service/sentinèlla.nix
View File

@@ -100,10 +100,18 @@ in {
}; };
environmentFile = lib.mkOption { environmentFile = lib.mkOption {
type = with lib.types; nullOr path; type = with lib.types; nullOr path;
default = null; default = config.sops.secrets."sentinèlla/watcher/environment".path;
defaultText = lib.literalExpression
"config.sops.secrets.\"sentinèlla/watcher/environment\".path";
example = "config.sops.secrets.\"sentinella-watcher-env\".path"; example = "config.sops.secrets.\"sentinella-watcher-env\".path";
description = '' description = ''
Optional environment file for secrets. Supported variables: Environment file for secrets. Defaults to the auto-declared SOPS
secret sentinèlla/watcher/environment (resolved from
sus/sentinella-default.yaml in the flake). Override the sopsFile
via sops.secrets."sentinèlla/watcher/environment".sopsFile if you
need a host-specific file instead.
Supported variables:
TG_TOKEN= TG_TOKEN=
TG_CHAT_ID= TG_CHAT_ID=
PEERS_TOKEN= # Basic Auth token sent to all peers PEERS_TOKEN= # Basic Auth token sent to all peers
@@ -148,6 +156,10 @@ in {
}) })
(lib.mkIf cfg.watcher.enable { (lib.mkIf cfg.watcher.enable {
sops.secrets."sentinèlla/watcher/environment" = lib.mkDefault {
sopsFile = "${flake}/sus/sentinella-default.yaml";
};
systemd.services."sentinella-watcher" = { systemd.services."sentinella-watcher" = {
description = "sentinèlla watcher p2p peer monitor"; description = "sentinèlla watcher p2p peer monitor";
after = [ "network.target" ]; after = [ "network.target" ];

12
nixos/system/hectic-lab/sentinèlla.nix
View File

@@ -5,7 +5,7 @@
domain, domain,
sslOpts, sslOpts,
... ...
}: { config, ... }: let }: { ... }: let
port = 5869; port = 5869;
in { in {
hectic.services."sentinèlla" = { hectic.services."sentinèlla" = {
@@ -18,17 +18,11 @@ in {
peersDns = "peers.${domain}"; peersDns = "peers.${domain}";
peersPort = port; peersPort = port;
pollingIntervalSec = 60; pollingIntervalSec = 60;
# TG_TOKEN= and TG_CHAT_ID= are set via this environment file # TG_TOKEN= and TG_CHAT_ID= are read from sus/sentinella-default.yaml
# Add the following to sus/hectic-lab.yaml under sentinèlla/watcher/: # (auto-declared by the module as sops.secrets."sentinèlla/watcher/environment")
# environment: |
# TG_TOKEN=<bot-token>
# TG_CHAT_ID=<chat-id>
environmentFile = config.sops.secrets."sentinèlla/watcher/environment".path;
}; };
}; };
sops.secrets."sentinèlla/watcher/environment" = {};
services.nginx = { services.nginx = {
virtualHosts."probe.${domain}" = sslOpts // { virtualHosts."probe.${domain}" = sslOpts // {
forceSSL = true; forceSSL = true;

63
script/update-sops-keys Executable file
View File

@@ -0,0 +1,63 @@
#!/usr/bin/env sh
# Update SOPS keys for every encrypted file in the project.
# Discovers files by matching path_regex rules from .sops.yaml —
# no directories are hardcoded.
#
# Usage: script/update-sops-keys [--dry-run]
set -eu
REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
DRY_RUN=0
for arg in "$@"; do
case "$arg" in
--dry-run) DRY_RUN=1 ;;
*) printf 'unknown argument: %s\n' "$arg" >&2; exit 9 ;;
esac
done
SOPS_CONFIG="$REPO_ROOT/.sops.yaml"
if [ ! -f "$SOPS_CONFIG" ]; then
printf 'error: .sops.yaml not found at %s\n' "$SOPS_CONFIG" >&2
exit 1
fi
# Extract every path_regex value from .sops.yaml.
# Lines look like: - path_regex: some/pattern$
regexes="$(grep '^\s*-\s*path_regex:' "$SOPS_CONFIG" | sed 's/.*path_regex:[[:space:]]*//')"
if [ -z "$regexes" ]; then
printf 'no path_regex rules found in .sops.yaml\n' >&2
exit 0
fi
# Collect all repo files (committed + untracked, excluding .gitignore).
# Write matches to a temp file to avoid subshell variable scoping issues.
tmp="$(mktemp)"
trap 'rm -f "$tmp"' EXIT
git -C "$REPO_ROOT" ls-files --cached --others --exclude-standard | while read -r rel; do
for regex in $regexes; do
if printf '%s\n' "$rel" | grep -qE "$regex"; then
printf '%s\n' "$rel" >> "$tmp"
break
fi
done
done
if [ ! -s "$tmp" ]; then
printf 'no matching sops files found\n'
exit 0
fi
while read -r rel; do
abs="$REPO_ROOT/$rel"
[ -f "$abs" ] || continue
if [ "$DRY_RUN" -eq 1 ]; then
printf '[dry-run] would updatekeys: %s\n' "$rel"
else
printf 'updating keys: %s\n' "$rel"
sops updatekeys --yes "$abs"
fi
done < "$tmp"

5
sus/sentinella-default.yaml Normal file
View File

@@ -0,0 +1,5 @@
sentinèlla:
watcher:
environment: |
TG_TOKEN=
TG_CHAT_ID=